Looks like there is a flaw on Facebook security when it comes to resetting account passwords. If a user did not delete an old phone number from their Facebook account. Anyone with that number can easier reset the Facebook account and change the user password. Not good if your life revolves around social media.
Link
Link